
Enhancing Telephone Identity Security with STIR: Introduction & Working Group Charter

Understand the need for secure telephone identities, the threats faced, and the progress of the STIR working group toward improving verification mechanisms for phone numbers.

grantham

Presentation Transcript


  1. STIR Secure Telephone Identity

  2. Introduction
     • Context and drivers
     • STIR Working Group Charter
     • Problem Statement
     • Threats
     • Status of work
     • Related work and links

  3. Context – Past and Present
     • The calling number used to be considered trustworthy
        • it is marked as such ("network provided" / asserted identity) in the signaling
        • it is provided by a third party which is expected to be trustworthy
     • Problem: in practice it is less and less reliable
        • calling party numbers may be flagged by networks as asserted and trustworthy when the upstream source is not
        • there is nothing in the number or the signaling to demonstrate it is being used by an entity (provider/customer) that has ‘authority’ over that number

  4. Drivers
     • Various applications assume a valid calling party number
        • calling line number presentation
        • Network functions
        • Fixed & mobile implicit/partial: voicemail authentication, customer support helpline
        • added value service routing, emergency service directory reverse-lookup
        • Implicit identification
        • User/application-level features
        • implicit identification for location-based services (landlines)
        • implicit authentication: transaction confirmation texts…
     • Issues raised with number misappropriation/hijack
        • voicemail hacking
        • robocalling, aggressive telemarketing…
        • “vishing”: voice or VoIP phishing
        • uncivil practices known as “swatting” (false report of an incident to emergency services)
     • => STIR WG

  5. STIR Charter
     • From: http://datatracker.ietf.org/wg/stir/charter/
     • The STIR working group will specify Internet-based mechanisms that allow verification of the calling party's authorization to use a particular telephone number for an incoming call.
     • Work will produce
        • A problem statement detailing the deployment environment and situations that motivate work on secure telephone identity
        • A threat model for the secure telephone identity mechanisms
        • A privacy analysis of the secure telephone identity mechanisms
        • A document describing the SIP in-band mechanism for telephone number-based identities during call setup
        • A document describing the credentials required to support telephone number identity authentication

  6. STIR Problem Statement
     • From: http://datatracker.ietf.org/doc/draft-ietf-stir-problem-statement/
     • In the classical public-switched telephone network, a limited number of carriers trusted each other, without any cryptographic validation, to provide accurate caller origination information
     • VoIP, text messaging, Caller ID spoofing have changed the game

  7. STIR Problem Statement
     • Use Cases Considered
        • VoIP-to-VoIP Call
        • IP-PSTN-IP Call
        • PSTN-to-VoIP Call
        • VoIP-to-PSTN Call
        • PSTN-VoIP-PSTN Call
        • PSTN-to-PSTN Call
     • Limitations of current solutions
        • Identity
        • Verification Involving PSTN Reachability
        • Credential handling

  8. Threats
     • From: http://datatracker.ietf.org/doc/draft-ietf-stir-threats/
     • Impersonation of a calling party number enables
        • Robocalling
        • Vishing
        • Swatting
        • Even more…
     • Attacks
        • Voicemail Hacking
        • Unsolicited Commercial Calling
        • Denial of Service Attacks
     • The work considers various use cases of how impersonation takes place and the attack vectors

  9. Status of work
     • The Problem Statement document has been submitted for publication as an Informational RFC
     • The Threats document has another round of updates to go before progressing to the next step toward RFC
     • General consensus that the signing mechanism will mimic what already exists for email-like SIP URIs (john@example.com) and adapt it for phone numbers:
        • Associate credentials with phone numbers
        • Define extensions in SIP to convey a “proof” that the calling ‘party’ (user/network…) has some authority over the number
        • Make it possible for the called party (user/network…) to verify this

  10. Become involved!
     • IETF
        • www.ietf.org
     • STIR work
        • http://datatracker.ietf.org/wg/stir/charter/
     • Mailing List
        • https://www.ietf.org/mailman/listinfo/stir
     • Meeting archive from last IETF meeting
        • http://www.ietf.org/proceedings/89/stir.html

  11. Related work and links
     • STIR Working Group
        • http://datatracker.ietf.org/wg/stir/
        • Charter and latest documents can be found there
     • M3AAWG
        • http://www.m3aawg.org/
     • Voice and Telephony Anti-Abuse Workshop
        • http://www.m3aawg.org/vta-sig
     • Presentation given at IETF 89 in March 2014
        • http://www.ietf.org/proceedings/89/slides/slides-89-stir-2.pdf
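
The three steps listed under "Status of work" (slide 9), sketched as an added example that is not from the presentation or the STIR working group: a credential is tied to a number prefix, the originating side signs the calling and called numbers, and the called side verifies the proof. The credential store, prefixes, field names and result strings are constructed for illustration, and an HMAC with a shared key stands in for the public-key signature a deployment would use.

```python
import hashlib
import hmac
import json

MAX_AGE = 60  # seconds a proof stays acceptable (assumed freshness window)

# Constructed credential store: each credential is tied to the number prefix
# its holder has authority over. The HMAC key is a stand-in for a private key.
CREDENTIALS = {
    "carrier-a": {"key": b"constructed-demo-key-a", "prefix": "+1555010"},
    "carrier-b": {"key": b"constructed-demo-key-b", "prefix": "+1555020"},
}

def _mac(key, claims):
    # Canonical JSON so signer and verifier hash identical bytes.
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def sign_call(cred_id, orig, dest, now):
    """Signer side: bind calling number, called number and time to a credential."""
    claims = {"cred": cred_id, "orig": orig, "dest": dest, "iat": now}
    return {"claims": claims, "sig": _mac(CREDENTIALS[cred_id]["key"], claims)}

def verify_call(proof, signalled_orig, signalled_dest, now):
    """Verifier side: return 'ok' or the reason the proof is rejected."""
    claims = proof["claims"]
    cred = CREDENTIALS.get(claims.get("cred"))
    if cred is None:
        return "unknown-credential"
    if not hmac.compare_digest(_mac(cred["key"], claims), proof["sig"]):
        return "bad-signature"          # claims altered after signing
    if claims["orig"] != signalled_orig or claims["dest"] != signalled_dest:
        return "number-mismatch"        # proof reused on a different call
    if not claims["orig"].startswith(cred["prefix"]):
        return "no-authority-over-number"  # valid signer, wrong number range
    if abs(now - claims["iat"]) > MAX_AGE:
        return "stale"                  # replay outside the freshness window
    return "ok"
```

The authority check is what separates this from a plain message signature: a signer holding a valid credential is still rejected when the calling number falls outside the range that credential covers.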
